Risk management happens across the whole of any enterprise, whether or not it is formalised and explicit.

Risk management is management that recognises the effect of uncertainty on objectives. All management needs to take uncertainty into account, so all management in an enterprise involves some form of risk management.

If the enterprise has a formalised risk management program, that program may or may not extend to all branches of management across the enterprise. Where the formalised program does not reach, the local managers will find their own way to address uncertainty, which may be more or less formal and explicit, and more or less effective.

More formality does not necessarily lead to more effective risk management. We have all seen risk management processes that are more about going through the prescribed steps than about understanding and acting on the effects of uncertainty. The primary benefit of being formal and explicit is that the process of understanding and acting on risk can be shared and demonstrated to others.

Risk management can happen anywhere. Understanding and acting on the effects of uncertainty does not of itself need an integrated risk management program, nor a defined risk management process.

A risk management process has a scope and objectives.

The concept of a risk management ‘process’ is defined in ISO 31000, Clause 5. The section of Clause 5 of most importance in the current topic is 5.3.4 Establishing the context of the risk management process. As usual, HB 436 includes a helpful explanation of how to implement 5.3.4, for instance:

It is less likely that risks will be overlooked and the process will prove more practicable if whatever is being examined is considered logically in smaller parts…if the risks associated with an organization as a whole are to be considered, this could be done by looking at either each organizational unit or each location separately. (HB 436 5.3.4.2)

The description of ‘process’ in ISO 31000 tends to assume that the process covers the whole of an organisation. However, in ISO 31000 the word ‘organisation’ refers to any user of risk management. The user may be an element within a larger organisation or enterprise.

This blog uses the term ‘(discrete) risk management process’ to refer to an identifiable application of risk management that has a defined context and scope.

There may be multiple discrete risk management processes across the enterprise.

If there is no integrated risk management program for the enterprise, discrete formalised risk management processes covering different aspects of the enterprise are likely to be needed anyway. Those discrete risk management processes will probably not take in all risk throughout the whole enterprise, but they may do a good job in those areas of risk that warrant some kind of formalised management.

If there is an integrated risk management program for the enterprise, that may also involve discrete risk management processes. Those discrete activities may conform to prescribed standards and conventions, and may be linked together to form an enterprise view of risk.

Enterprise risk management (ERM) may follow the path of discrete risk management processes within the enterprise. It can also be tackled in a more unitary and centralised way.

Whether or not there is a single enterprise risk management program, it is desirable to encourage active and explicit risk management throughout the enterprise. Decentralising the risk management effort maximises the engagement of local managers in the management of local and enterprise risk. Decentralised effort allows local management to decide local risk treatments, and to be accountable for the consequences. That is unlikely to work efficiently if risk management is the domain of a separate ‘risk management’ team that is far removed from local managers in organisational distance and outlook.

You may have picked up that I don’t regard consistency and integration of risk management as intrinsically good or important. I have already legitimised discrete or dissimilar risk processes within an enterprise. My position is that it is much better to manage risk effectively than to manage it consistently, so each risk management process should be fit for its particular purpose, users, and stakeholders. ‘Risk management is tailored’ (ISO 31000 Key Principle G). To me that means ‘tailored’ for specific and varied needs within the enterprise.

I am still in favour of enterprise risk management. I just acknowledge that a lot of good risk management is done without being driven by the centralisation paradigm of ERM. I propose ways of linking together discrete and dissimilar risk management processes, without standardising them, for an enterprise view of risk (to be covered in a future topic).

Any discrete risk management process needs to have a definite scope.

Each member of the hierarchy within an organisation will need, at the least, an understanding of the scope of risk management that is and is not a definite responsibility of the position. Each manager will also need an idea of other people’s risk management responsibilities so that issues can be referred appropriately.

The process of dividing up the enterprise risk management effort into manageable parts is one of the first major stumbling blocks in an organisation’s implementation of systematic risk management. If there is to be an enterprise view of overall risk, the separate units of risk management process must then be joined together again to form that view.

Discrete and independent risk management processes are the work-horses within formal risk management, even if they are not recognised at all in ISO 31000 or COSO ERM.